Issue
- We are upgrading our code from 7.3 to 2024Q1.7 and found new parameters on the following two methods:
1. _samlSpIdpConnectionLocalService.addSamlSpIdpConnection()
2. _samlSpIdpConnectionLocalService.updateSamlSpIdpConnection()
The new parameters are boolean unknownUsersAreStrangers and String userIdentifierExpression. What are these new parameters for?
Environment
- 2024.Q1
Resolution
- Regarding the first parameter you mention, unknownUsersAreStrangers:
SAML is a standards-based protocol, and a very large number of products and services can act as SAML IdPs. Controls over which users should be automatically provisioned on the SP when they do not already exist there therefore need to be set per SAML IdP connection.
The SamlSpIdpConnection entity was extended with an "unknownUsersAreStrangers" field of type boolean.
This field defines whether users that do not already exist in the portal database should be classified as "strangers". Once a user is classified as a stranger, the portal instance's existing stranger handling policy, as defined in Instance Settings > User Authentication > General, determines whether the user is automatically provisioned using the information available in the IdP's SAML assertion.
This field corresponds to the "Unknown Users Are Strangers" option shown when editing an entry under Control Panel > SECURITY > SAML Admin > Identity Provider Connections. When it is enabled (value true), the user data imported through that SAML connection is subject to the same stranger handling logic that is configured under Control Panel > CONFIGURATION > Instance Settings > User Authentication, specifically the "Allow strangers to create accounts?" setting.
- Regarding the second parameter, userIdentifierExpression:
Its format is {UserFieldExpressionResolver_key}[:argument]
It is an expression that identifies the UserFieldExpressionResolver to use, which in turn resolves the UserFieldExpression used for user matching. In most cases it is simply the UserFieldExpressionResolver key; out of the box there are three: "none", "dynamic" and "attribute".
The userIdentifierExpression is stored in the SamlSpIdpConnection. This field corresponds to the "User Resolution" field shown when editing an entry under Control Panel > SECURITY > SAML Admin > Identity Provider Connections. The radio button entries carry the values "none", "dynamic" and "attribute", in that order. Note, however, that this list is built dynamically from the registered implementations of the UserFieldExpressionResolver SPI.
Whether the [:argument] part is required when DefaultUserResolver uses the resolver to resolve the user is an implementation detail of each UserFieldExpressionResolver implementation. At the time of writing, only the "attribute" resolver requires it out of the box. See
liferay-portal/modules/dxp/apps/saml/saml-web/src/main/java/com/liferay/saml/web/internal/opensaml/integration/field/expression/resolver/AttributeUserFieldExpressionResolver.java at 6ce0b9eb049e99a50285a324a3bd4afd76d340ab · liferay/liferay-portal
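The following is an added example, not code from this article or from Liferay, showing how code that is being migrated to the new method signatures can build and validate a userIdentifierExpression value of the form {UserFieldExpressionResolver_key}[:argument] before passing it on. It assumes only what the article states: the three out-of-the-box resolver keys ("none", "dynamic", "attribute") and the fact that, of those, only "attribute" requires the argument part; the function and class names (parse_user_identifier_expression, build_user_identifier_expression, UserIdentifierExpression) are this example's own. Because the real key list is built from registered UserFieldExpressionResolver implementations, the known-key set is a parameter so a deployment with extra resolvers can extend it.

```python
from dataclasses import dataclass
from typing import Iterable, Optional

# Resolver keys the article lists as available out of the box.
# A real deployment may register more UserFieldExpressionResolver
# implementations, so callers can pass their own set.
OOTB_RESOLVER_KEYS = frozenset({"none", "dynamic", "attribute"})

# Keys whose resolver needs the ":argument" part. The article states that
# only "attribute" requires it out of the box; this table is an assumption
# made here to keep the example self-contained.
KEYS_REQUIRING_ARGUMENT = frozenset({"attribute"})


@dataclass(frozen=True)
class UserIdentifierExpression:
    """Parsed form of '{UserFieldExpressionResolver_key}[:argument]'."""
    resolver_key: str
    argument: Optional[str]


def parse_user_identifier_expression(
    expression: str,
    known_keys: Iterable[str] = OOTB_RESOLVER_KEYS,
) -> UserIdentifierExpression:
    """Split the expression at its first ':' and validate the pieces.

    Raises ValueError for an empty expression, an unknown resolver key,
    or a resolver that requires an argument but was given none.
    """
    if expression is None or not expression.strip():
        raise ValueError("userIdentifierExpression must not be empty")

    # partition() splits at the first colon only, so an argument that itself
    # contains colons (e.g. a URN-style attribute name) stays intact.
    key, separator, raw_argument = expression.strip().partition(":")
    key = key.strip()
    argument = raw_argument.strip() if separator else ""

    known = set(known_keys)
    if key not in known:
        raise ValueError(
            f"unknown UserFieldExpressionResolver key {key!r}; "
            f"known keys: {sorted(known)}"
        )
    if key in KEYS_REQUIRING_ARGUMENT and not argument:
        raise ValueError(
            f"resolver {key!r} requires an argument, e.g. '{key}:<attributeName>'"
        )

    return UserIdentifierExpression(key, argument or None)


def build_user_identifier_expression(
    resolver_key: str,
    argument: Optional[str] = None,
    known_keys: Iterable[str] = OOTB_RESOLVER_KEYS,
) -> str:
    """Compose the string value to pass as userIdentifierExpression.

    Goes through the parser so that the same validation rules apply on the
    way out as on the way in.
    """
    expression = resolver_key if not argument else f"{resolver_key}:{argument}"
    parsed = parse_user_identifier_expression(expression, known_keys)
    return (
        parsed.resolver_key
        if parsed.argument is None
        else f"{parsed.resolver_key}:{parsed.argument}"
    )


def is_valid_user_identifier_expression(
    expression: str,
    known_keys: Iterable[str] = OOTB_RESOLVER_KEYS,
) -> bool:
    """Boolean convenience wrapper for pre-flight checks in migration code."""
    try:
        parse_user_identifier_expression(expression, known_keys)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values, not taken from any real deployment.
    for sample in ("none", "dynamic", "attribute:mail", "attribute", "bogus"):
        print(f"{sample!r:20} valid={is_valid_user_identifier_expression(sample)}")
```

The parser is deliberately permissive about an argument given to a resolver that does not need one, since the article only says which resolvers require the argument, not that others reject it; a deployment with a custom resolver can pass its key in known_keys and, if that resolver needs an argument, extend KEYS_REQUIRING_ARGUMENT accordingly.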